Computer Weekly has now published Quocirca's buyer's guide to the General Data Protection Regulation (GDPR), Dealing with data under GDPR. The guide outlines how mid-market organisations can reduce the risk of potentially large fines for mishandling personal data, either by taking themselves out of scope for the regulation or by outsourcing the administration and data security requirements.
For those still trying to make sense of it all, here is Quocirca's whistle-stop tour of the GDPR:
The GDPR applies to data controllers (organisations that collect and store personal data to support business processes) and data processors (third parties that process data on behalf of data controllers). The regulation applies to any organisation that deals with data regarding EU citizens, whether it is based in the EU or beyond its borders.
- Personal data is anything that can be used to directly or indirectly identify a person; e.g. names, photos, email addresses, social media posts, medical records and IP addresses (so simply gathering information on devices via an IoT application may bring an organisation into scope).
- The maximum fines are big: the greater of 4% of annual global turnover or €20 million. Fines can be levied both for data breaches and for failing to meet administrative requirements.
- Privacy by design and by default must be built in to relevant processes and applications (in other words, the systems that process data must be secure and timely data breach detection capabilities must be in place).
- Data Protection Impact Assessments (DPIAs) of the risk to data subjects (the likes of you and me) may be required before personal data is processed, along with bi-annual Data Protection Compliance Reviews.
- Consent for processing must be obtained from data subjects to process their data.
- When data is leaked, there must be timely breach notification to both data subjects and the relevant authorities (in the UK the Information Commissioner’s Office or ICO).
- Data subjects have a right to access their data and for it to be supplied to them in a form that enables data portability.
- Data subjects can request data erasure (the so-called right to be forgotten). This is not an absolute right: there are statutory obligations to keep certain data, and retention is allowed for legitimate research purposes.
- Only organisations that conduct regular and systematic monitoring of data subjects on a large scale need to appoint a Data Protection Officer (DPO).
Quocirca's buyer's guide to the GDPR, Dealing with data under GDPR, can be viewed on Computer Weekly at this link: https://www.computerweekly.com/feature/Dealing-with-data-under-GDPR